"Internationalized Domain Names," by Eric A. Hall. For predominantly English-speaking countries, international characters might seem irrelevant, but large-scale changes to the global infrastructure will affect every network whose users communicate internationally. For example, sending email to users in another country might eventually require an upgrade to Internationalized Domain Names (IDNs). Companies selling products or services worldwide might want to register IDNs that accurately represent their wares, and anyone with international clientele must be prepared for support issues. Breaking the Internet's dependency on seven-bit ASCII is a good place to start. Hall describes the move toward IDNs, as proposed last year in IETF RFC 3490, "Internationalizing Domain Names in Applications (IDNA)."

"WS-Security Makes SOAP Safe," by Andrew Conry-Murray. SOAP messages are constructed in human-readable XML, which means message content can easily be observed and possibly modified. To ensure that messages aren't tampered with and that sensitive data (such as credit card numbers or medical information) isn't disclosed, Web Services Security (WS-Security) adds extensions that enable all or part of a SOAP message to be encrypted and digitally signed. The Web services community recently reached a milestone when the Organization for the Advancement of Structured Information Standards (OASIS) ratified the specification as a standard.

July 2004

"WME Extends QoS to Wi-Fi," by Doug Allen and Andy Dornan. Although the IEEE ratified the 802.11i wireless security standard in July 2004, products guaranteed to be compatible with most of the specification have been shipping since May 2003, thanks to Wi-Fi Protected Access (WPA), a testing program from the Wi-Fi Alliance based on the most urgent security fixes in 802.11i. Now, with many Wi-Fi users upset over poor quality of service (QoS), the alliance has decided to do the same for 802.11e, the IEEE's planned QoS standard — taking parts of the standard and packaging them as Wireless Media Extensions (WME). Due to be available in September 2004, WME equipment will help Wi-Fi networks give higher priority to real-time traffic.

"Ethernet Services Model Phase 1," by Doug Allen and Andy Dornan. Over the next few years, the Metro Ethernet Forum (MEF) plans to develop specific definitions and templates for a robust Ethernet service with any-to-any connectivity. The industry coalition of local exchange carriers, networking companies, Ethernet service providers, and equipment vendors has already completed the first of three specifications aimed at replacing point-to-point frame relay access lines. Collectively, these specifications-based services should make Ethernet a faster, cheaper, and simpler alternative to frame relay in two ways: by beefing up performance levels and security, and by enabling an any-to-any multipoint topology that links sites more dynamically, without the cost of nailed-up connections (completed or authenticated connections). Allen and Dornan discuss the Ethernet Services Model Phase 1, the first technical specification to come out of this effort.

Dr. Dobb's Journal, www.ddj.com

August 2004

"HTTP Response Splitting," by Amit Klein and Steve Orrin. HTTP response splitting enables various attacks, such as Web cache poisoning, cross-user defacement, page hijacking, and cross-site scripting (XSS). It's relevant to most Web environments and is the result of an application's failure to reject illegal user input; in this case, input containing malicious or unexpected characters — the carriage return and line feed characters. Klein and Orrin describe how and why the attacks work, and the relatively simple ways to avoid vulnerability.

Security

JavaPro, www.javapro.com

July/August 2004

"XML and Web Services: Are We Secure Yet?" by Mark O'Neill. Eighteen months ago, developers and users still viewed "Web services security" as an oxymoron, says O'Neill. Now, thanks to standards, Web services are more secure than ever, he claims. He asks what it means to say that an individual XML message is "secure." The answer involves applying well-known security concepts to Web services. O'Neill describes three established security concepts — CIA (confidentiality, integrity, and availability) security, AAA (authentication, authorization, and audit) security, and message-level content analysis — and explains how they apply to Web services.

Network Magazine, www.networkmagazine.com

June 2004

"Watching Over Your Network," by Rik Farrow. Farrow says that intrusion-prevention systems (IPSs) are the latest buzz in intrusion detection. He explains why he doesn't believe that IPSs can protect against all those "strangers with candy," despite vendor and analyst claims to the contrary.

July 2004

"Application-Layer Protection," by Andrew Conry-Murray. As Conry-Murray points out, security vendors regularly claim their products can protect Web, email, and other applications. But what does that mean? Applications can be attacked through the protocols that carry them, or by manipulating the application code's logic itself. Understanding how different types of attacks are carried out can help you assess your risk and better understand how to protect yourself. Conry-Murray explains the methods of application attack and presents steps toward prevention.

PC Magazine, www.pcmag.com

22 June 2004

"Essential Buying Guide: Business Security," by Robert P. Lipschutz. Businesses large and small must be proactive about security, and shopping intelligently now can protect against heavy losses in the future. This buyer's guide has five components: why you need a solid security infrastructure, what the major threats are and how to protect yourself, which features are important when shopping for security solutions, which junctions in your network are vulnerable, and how to pick the products that best fit your business size.

3 August 2004

Security Special Issue. This issue of PC contains four major security-themed articles: "Keep Your PC Safe" (home computing security), "Keep Your Office Safe" (email and enterprise security), "Keep Your Kids Safe" (how to protect children from Web-browsing dangers), and "Is Microsoft to Blame?" (should Microsoft take more responsibility in these other security areas because it provides 95 percent of the world's operating systems?).

Programming

Visual Studio Magazine, www.fawcette.com/vsm/

August 2004

"Track Changes with XML DataSets," by Bill Wagner. Datasets provide a powerful mechanism for storing information. According to Wagner, programmers can even use them to track the changes they make, as long as they make them in the right fashion. In this Q&A, he describes the available options when using XML datasets.

"Build Web Sites Using Master Pages," by Dino Esposito. In this excerpt from his book, Introducing Microsoft ASP.NET 2.0 (Microsoft Press), Esposito says a method to build and reuse pages must fulfill three requirements: the pages have to be easy to modify; changes shouldn't require deep recompilation of the source code; and any change must impact the application's overall performance minimally. He claims that ASP.NET 2.0 satisfies these requirements with a new technology — master pages (a kind of supertemplate) — and exploits the new ASP.NET framework's ability to merge a supertemplate with user-defined content replacements.

"Build Real-Time Web Images," by Roger Jennings. Location-based Web services will play an increasingly important role as handheld devices add carrier-based and GPS-positioning capabilities. Microsoft, map providers, and cellular carriers will likely offer an expanding array of geo-coded imaging Web services, and Jennings says now's the time to start exploring new VS.NET mapping applications. He describes how to use Microsoft's TerraService and MapPoint Web services to start Visual Studio .NET-based mapping projects.

Dr. Dobb's Journal, www.ddj.com

July 2004

"Java Management Extensions," by Paul Tremblett. Tremblett uses a television broadcast simulation to describe the JMX architecture and show how to create managed beans (MBeans) — the objects used to instrument resources and render them suitable for management.

"Mixing ActiveX with Java," by Al Williams. Although the Microsoft Java virtual machine no longer exists, the Java COM Bridge (Jacob) open-source library essentially duplicates its ability to let Java code running under Windows connect with ActiveX objects. Williams examines how.

"Making .NET Assemblies Tamper Resistant," by Richard Grimes. Executing "malware" attachments to email is a prime method of spreading viruses, primarily by making changes to application files. Grimes explains the .NET file structure and shows how it prevents such alterations from being performed on .NET assemblies.

"Java and the OpenCable Application Platform," by Linden deCarmo. According to the author, the U.S. cable industry is making a massive investment in Java technology to escape the quagmire of proprietary network software and APIs. Java is at the core of the standards-based OpenCable Application Platform (OCAP); properly written OCAP applications can run on any OCAP-compliant North American cable network. In this article, the author looks at the strengths and weaknesses of OCAP's Java interfaces as they relate to OCAP's goals.

August 2004

"Continuous Integration and .NET: Part I," by Thomas Beck. The subject of several books, continuous integration is an automated process that lets teams build and test software multiple times a day. In the first of two articles, Beck examines the building blocks of an open-source continuous integration solution, including descriptions of Java-based tools such as Ant and JUnit, which support it.

Network Management

Network Magazine, www.networkmagazine.com

June 2004

"The Long Arm of Wi-Fi," by Andy Dornan. Improved Wi-Fi equipment is available now, though it's not suitable for everyone. After all, Wi-Fi was designed to be a LAN technology — it can't match 3G or emerging standards such as 802.16 (WiMAX) and 802.20 (Wi-Mobile) in the wide area, according to Dornan. New wireless WAN technologies are already available in some areas and will slowly be rolled out nationwide over the next decade.

July 2004

"Locking Down the House," by Rik Farrow. Other than denial-of-service (DoS), all attacks have the same goal: to take control of a system. The most publicized attacks involve indiscriminate, self-propagating worms such as Sasser or Blaster, while others target specific computers or networks. All depend on the ability to execute the attacker's code on victim systems. Farrow argues that a host-based intrusion-prevention system (HIPS) might be a better solution to network attacks than any network-based IPS (NIPS). However, users must be willing to pay a price in installation costs and performance.

"The Anti-spam Cocktail: Mix It Up to Stop Junk E-Mail," by Andrew Conry-Murray. Approximately 2.5 of the 3 billion e-mails received by Microsoft Hotmail are now spam. However, thanks to a cocktail approach that blends traditional spam filters with cutting-edge technology, spam is becoming a non-issue for corporate mail users. Researchers and vendors have stopped proselytizing individual approaches and found ways to integrate and optimize existing technologies while seeking new solutions, says the author. Machine learning is the hot anti-spam ingredient at the moment, and new products are now integrating it with black lists, content filters, spam signatures, and heuristics for a powerful anti-spam cocktail.

PC Magazine, www.pcmag.com

July 2004

"Buying Guide: Servers and Storage," by John R. Delaney and Robert P. Lipschutz. Delaney and Lipschutz describe how to choose the right server for a business by assessing performance, cost, space, and other concerns. They also examine the differences between direct-attached storage (DAS), network-area storage (NAS), storage-area network (SAN), and SCSI devices.

David Clark is a freelance writer based in Lafayette, Colorado.

Elsewhere in the IEEE Computer Society

Computer, www.computer.org/computer/

June 2004

"Securing the High-Speed Internet," by Simon S.Y. Shim et al. This article is an introduction to Computer's multi-article section on Internet security. The guest editors present an overall picture of how fast the wired and wireless Internet has grown—in worldwide and commercial use, technical complexity, and connection speeds. The articles represent a sample of how academia is responding to the need for better Internet security, and include: "Computer Security in the Real World," "Worm Epidemics in High-Speed Networks," "Making the Gigabit IPsec VPN Architecture Secure," and "A Quantitative Study of Firewall Configuration Errors."

June 2004

"Issues in High-Speed Internet Security," by Peder Jungck and Simon S.Y. Shim. Using the SQL Slammer flash worm as an example of how quickly damage can be inflicted on today's Internet, Jungck and Shim suggest that protecting networks against such fast-moving threats requires new security solutions that offer flexibility, high performance, and speed. They discuss various alternatives and improvements that could be made using existing technologies.

"Seamless Mobile Computing on Fixed Infrastructure," by Michael Kozuch et al. Kozuch and colleagues describe their work with Internet suspend/resume (ISR), a pervasive computing technology for rapidly personalizing and depersonalizing anonymous hardware for transient use. They define mobile computing not in terms of wireless-connected laptops, PDAs, and such, but rather as the ability to use existing "thick client" computers as portals to our data, applications, and connections wherever we go.

Computing in Science & Engineering, www.computer.org/cise/

July/August 2004

"Web Engineering: The Evolution of New Technologies," by Athena I. Vakali and Georgios I. Papadimitriou. This special section brings together articles that focus on understanding and emphasizing engineering topics as they're applied in today's Web environment and infrastructure. They cover a wide range of topics under the broad categories of Web data representation, access, and effective information retrieval. Articles include "Managing XML Data: An Abridged Overview," "Information Retrieval Techniques for Peer-to-Peer Networks," "Trust Negotiations: Concepts, Systems, and Languages," "Intelligent Agents on the Web: A Review," "Web Searching and Information Retrieval," "Web Mining: Research and Practice," and "Caching and Prefetching for Web Content Distribution."

"SOLA: Lightweight Security for Access Control in IEEE 802.11," by Felix Wu, Henric Johnson, and Arne Nilsson. Currently an academic research prototype, Statistical One-Bit Lightweight Authentication (SOLA) is a robust, layer-2, one-bit-identity authentication protocol. The authors argue that SOLA might provide sufficient security at the first hop in a wireless network, assuming more robust security exists down the line, to obviate relatively more expensive link-layer authentication mechanisms. This is because the first hop primarily authenticates origin identity rather than payload.

"The Basics of Reliable Distributed Storage Networks," by Thomas C. Jepsen. Besides efficiency, enterprises need the increased reliability that distributed storage systems offer. Using storage networks to manage access to data increases performance and survivability while helping control costs. Jepsen presents a comprehensive view of distributed storage: what it is, its benefits, how enterprises implement it, and its future manifestation (IP storage).

IEEE Multimedia, www.computer.org/multimedia/

July–September 2004

"QoS Specification Languages for Distributed Multimedia Applications: A Survey and Taxonomy," by Jingwen Jin and Klara Nahrstedt. Jin and Nahrstedt provide an extensive taxonomy of existing QoS specification languages. This article pays particular attention to issues derived from research into QoS-aware API design and QoS language development for multimedia systems.

IEEE Security & Privacy, www.computer.org/security/

July/August 2004

"Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns," by Jonathan Pincus and Brandon Baker. Pincus and Baker, both Microsoft security and research developers, say that vulnerabilities related to buffer overruns account for the largest share of CERT advisories. In this article, they discuss three powerful general-purpose families of exploits that go beyond traditional "stack smashing" attacks and invalidate traditional assumptions about buffer overruns.